CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-40155: Race Condition in Auth0 Next.js SDK DPoP Proxy Fetcher

Vulnerability ID: CVE-2026-40155
CVSS Score: 5.4
Published: 2026-04-21

A race condition vulnerability in the Auth0 Next.js SDK (versions 4.12.0 through 4.17.1) leads to improper proxy cache lookups during Demonstrating Proof-of-Possession (DPoP) nonce retries. Because concurrent proxy requests share the same mutable fetcher state, one request's retry can be completed with another request's context, potentially returning sensitive session data to the wrong client.

TL;DR

The Auth0 Next.js SDK improperly shares stateful fetcher instances across concurrent proxy requests when handling DPoP challenges. This race condition can result in cross-session data exposure. Upgrading to version 4.18.0 resolves the issue by securely scoping cryptographic handles to individual requests.
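The shared-fetcher race described above, as an added example that is not the SDK's own code: a constructed resource server answers the first attempt with a 401 nonce challenge, a per-audience cached fetcher keeps the current session on the instance across that round trip, and the request-scoped variant caches only a per-audience key handle. The names (`SharedFetcher`, `DpopHandle`, `scopedFetch`, `proxyConcurrently`) and the server behaviour are assumptions made for illustration.

```javascript
// Added example (not the SDK's code): why caching a *stateful* fetcher per
// audience leaks session data across concurrent DPoP nonce retries, and the
// request-scoped alternative. Server, names and sessions are constructed.

// Constructed resource server: a request without a nonce gets a 401 challenge;
// the retry carrying the nonce gets the data for the session it names.
function makeServer() {
  let n = 0;
  return async ({ session, nonce }) =>
    nonce ? { status: 200, body: `data-for-${session}` }
          : { status: 401, nonce: `nonce-${++n}` };
}

// Vulnerable shape: one fetcher instance per audience that stores the current
// request's session on the instance while awaiting the challenge round trip.
class SharedFetcher {
  constructor(server) { this.server = server; this.session = null; }
  async fetch(session) {
    this.session = session;                            // shared mutable state
    let res = await this.server({ session: this.session });
    if (res.status === 401) {                          // nonce retry
      // a concurrent request may have overwritten this.session during the await
      res = await this.server({ session: this.session, nonce: res.nonce });
    }
    return res.body;
  }
}

// Hardened shape: the per-audience cache holds only key material; the retry
// lives in a fetch that is scoped to this request and its own session.
class DpopHandle { constructor(audience) { this.kid = `key-for-${audience}`; } }

async function scopedFetch(server, handle, session) {
  let res = await server({ session, kid: handle.kid });
  if (res.status === 401) {
    res = await server({ session, kid: handle.kid, nonce: res.nonce });
  }
  return res.body;
}

// Runs two concurrent proxy requests (sessions A and B) against one audience
// and returns what each caller received, so a test can spot cross-session data.
async function proxyConcurrently(variant) {
  const server = makeServer(), cache = {};
  const handler = variant === "shared"
    ? (s) => (cache.api ??= new SharedFetcher(server)).fetch(s)
    : (s) => scopedFetch(server, (cache.api ??= new DpopHandle("api")), s);
  const [a, b] = await Promise.all([handler("A"), handler("B")]);
  return { A: a, B: b };
}
```

With the shared variant, session A's caller receives `data-for-B`; the scoped variant returns each session its own data, which is the property a regression test for this class of bug should assert.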


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-362
  • Attack Vector: Network
  • CVSS v3.1 Score: 5.4 (Medium)
  • EPSS Score: 0.0004 (12.12%)
  • Primary Impact: Confidentiality Loss (Cross-Session Data Exposure)
  • Exploit Status: Proof of Concept (Integration Tests)
  • CISA KEV: Not Listed

Affected Systems

  • @auth0/nextjs-auth0: >= 4.12.0, <= 4.17.1 (Fixed in: 4.18.0)

Code Analysis

Commit: 98c36dc

Fix: Remove proxyFetchers LRU cache, bind DPoP handles correctly.

- private proxyFetchers: { [audience: string]: Fetcher<Response> } = {};
+ private proxyDpopHandles: { [audience: string]: oauth.DPoPHandle } = {};
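Review bot: the replacement field `proxyDpopHandles` is still keyed by audience, so one `oauth.DPoPHandle` is shared by every concurrent request to that audience, while the summary above says the fix scopes handles to individual requests; the two statements should be reconciled. The hunk alone does not show where the per-request fetcher is now constructed or whether the shared handle carries any per-request state (for example the nonce learned on a 401 retry); add a comment on the field stating what the handle may hold and that the fetcher is created per request, or include the call site in the patch so the invariant can be checked.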

Mitigation Strategies

  • Upgrade @auth0/nextjs-auth0 dependency to the patched version.
  • Monitor proxy handler logs for unusually high frequencies of HTTP 401 DPoP challenges.
  • Audit application architecture to ensure DPoP is correctly configured in conjunction with updated SDK versions.

Remediation Steps:

  1. Identify all projects that depend on @auth0/nextjs-auth0 at a version between 4.12.0 and 4.17.1.
  2. Update the dependency using your package manager: npm install @auth0/nextjs-auth0@^4.18.0.
  3. Execute integration test suites to confirm proxy handlers continue to function correctly with DPoP enabled.
  4. Deploy the updated application build to production environments.

Read the full report for CVE-2026-40155 on our website for more details including interactive diagrams and full exploit analysis.
